fielded capability: end-to-end vpn a sek-13-3-q.pdf · top secret//comint//rel usa, aus, can, gbr,...

Fielded Capability: End-to-End VPN SPIN 9 Design Review

The overall classification for this brief is: TOPSECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

MAT A Sek-13-3-q.pdf, Blatt 1

TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZU/20320108

VPN Spin 9 Fielded Capability Upgrade

(U) Current Fielded Capability

• (TS//SI//REL) All current TURMOIL Virtual Private Network (VPN) capabilit ies are fielded as Spin 6 Red Architecture software running on Red Architecture hardware.

VPN Metadata

Red TEC No capability after Blue transition

on 17-Sep YRS

SSO

MHS L ive

MHS Dev

No capability

No capability

Red

No capability

VPN D e c r y p t i o n Red

No capability after Blue transition on 17-Sep

No capability

No capability

Red

No capability

T O P RFC:RFT//r:OMINT//RFI USA AMR H A N ORR M7I //?fl3?nirifi 2




(U) Spin 9 Objectives

• (S//SI//REL) The Spin 9 Objective for the TURBULENCE (TU) VPN Private capability is to transition to the Blue Architecture.

(S//SI//REL) Spin 9 VPN will implement a redesign of the decryption f low that reallocates some functionality between TURMOIL, the VPN Attack Orchestrator (VAO), and the VPN Metrics service.

(U) Deliver all capabilit ies as deployable at the end of Spin 9.





(U) Capabilities

(TS//SI//REL) The TU VPN capability will implement an operational capability to detect and decrypt selected communicat ions that are encrypted using IP security ( IPsec) algorithms and protocols. It will forward the unencrypted content to follow-on processing systems.

(TS//SI//REL) The TU VPN capability will collect metadata about IPsec Internet

Key Exchange (IKE) events and forward the metadata to follow-on SIGINT

Development (SIGDEV) systems.

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl3?niri8 4




(U//FOUO) Exploited Protocols

(TS//SI//REL) IPsec a u t o m a t i c key m a n a g e m e n t p r o t o c o l s establish security associations between communicants. A s e c u r i t y a s s o c i a t i o n (SA) is a relationship between a source and a destination that includes a session key and other parameters. The VPN capability exploits the following key management protocols:

• (U) ISAKMP - Internet Security Associat ion and Key Management Protocol (RFC2407, RFC2408) provides the authentication and key exchange framework.

• (U) IKE - Internet Key Exchange (RFC2409) provides the authentication and key exchange mechanisms.





(U//FOUO) Exploited Protocols (continued)

(TS//SI//REL) IPsec s e c u r i t y p r o t o c o l s provide integrity, confidentiality, and authentication for higher layer IP protocols. IPsec security protocols use security associations previously established either manually or by automatic key management protocols (IKE). The VPN capability targets SA's that are established by IKE. The VPN capability exploits the following security protocol:

• (U) ESP - Encapsulating Security Payload (RFC2406) provides traffic confidentiality (via encryption) and optionally provides authentication and integrity protection.

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl?!?f11f1fi 6




(U) IPsec Operation ( A l i c e s Bob)

ISAKMP/IKE Phasel Unencrypted Handshake ISAKMP/IKE Phasel ISAKMP

SA ISAKMP/IKE Phase2 ^ E n c r y p t e d H a n d s h a k e ̂ ISAKMP/IKE Phase2 I

Security Association

Database

Alice @ IP Source

Security Association

Database

ISAKMP SA

i N ESP Cleartext ESP Cleartext > B o b @ IP Destination

• (U) An SA is identified by a 4-tuple <SrclP, DstIP, SPI , SecurityProtocol>, where the SPI (Secur i ty Parameter Index) is chosen by DstIP for SA uniqueness.

• (U) The Bi-directional ISAKMP SA is negotiated in P h a s e l and protects the ESP key negotiations in Phase2.

• (U) A Uni-directional ESP SA is negotiated in Phase2 and is used to protect the user's cleartext.

• (U) Reverse communicat ion (Bob •=> Alice) requires a separate ESP SA and is negotiated using the same ISAKMP SA as used for (Alice •=> Bob).

T O P RFC:RFT//r:OMINT//RFI USA AMR H A N ORR M7I //?fl?!?f11f1fi 7




(U) IPsec Modes

r IP Hdr: Src=A, Dst -B ESP Header Encrypted Data ESP Trailer

(U) T r a n s p o r t M o d e • (U) Original IP Header is preserved

• (U) ESP Header and Trailer encapsulate and encrypt remaining IP Packet

i t \<Security GatewayV^ Internet

IP Hdr: Src=F A , Dst=F E ESP Header Encrypted IP Hdr: Src=A, Dst=B Encrypted Data ESP Trailer

(U) T u n n e l M o d e

• (U) Security Gateway at source encapsulates, encrypts, and adds new IP Header to original packet.

• (U) Security Gateway at destination recovers and forwards original packet.

• (U) Identities of traffic source and destination is concealed

• (U) Extra padding also may be added to hide packet size T O P RFORFT/ /OOMINT/ /RF I IJ RA AMR OAN ORR M7I //?fl8?ri1 flft 8




(S//SI//REL) TU VPN Products

X (TS//SI//REL) B u n d l e d d e c r y p t are the decrypted packets from an ESP Security Associat ion prior to any session or application processing.

• (TS//SI//REL) S e s s i o n i z e d d e c r y p t e d p a c k e t s are the decrypted packets that have been recursively processed by the TURMOIL Stage 1 sessionizer for SIGDEV.

• (S//SI//REL) Se lected a p p l i c a t i o n s e s s i o n s are the recursed TURMOIL sessions that have been selected by KEYCARD strong selection and subsequently processed by TURMOIL Stage 2 application processing.

• (S//SI//REL) IPsec m e t a d a t a are derived from IKE events for VPN SIGDEV.

• (S//SI//REL) VPN m e t r i c s are produced by CES CA components for internal use.

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl8?ri1 flft 9




(S//SI//REL) TU VPN Product Dataflows

X (TS//SI//REL) B u n d l e d d e c r y p t are delivered directly to WEALTHYCLUSTER 2.0 (WC2.0) v ia TUBE from TURMOIL as packets for application processing that is not available in TURMOIL.

• (TS//SI//REL) S e s s i o n i z e d d e c r y p t e d p a c k e t s are delivered without selection (full-take) to XKEYSCORE from TURMOIL for target SIGDEV.

(S//SI//REL) Se lected a p p l i c a t i o n s e s s i o n s are delivered to PRESSUREWAVE via TUBE format conversion and EXOPUMP where data and metadata object are created and inserted into PWV for legacy analytics and analysis tools.

• (S//SI//REL) IPsec m e t a d a t a are delivered to TOYGRIPPE via PWV where an analytic converts IPsec metadata to TGIF format and pushes it to TOYGRIPPE.

(S//SI//REL) VPN m e t r i c s are delivered to CA Resources by the TURMOIL PIQ blade via CES firewall.

Reference: VPN Spin 9 Dataflows

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?n3?ri1 f lf i 10




(S//SI//REL) TU VPN Product Retrieval Mechanisms

X (S//SI//REL) WC2.0

• An analyst uses the AGILITY interface on WC2.0 to view selected traffic as the intended recipient would see it. ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^

• (S//SI//REL) PRESSUREWAVE

• The PRESSUREWAVE analytic and standing query pulls, reformats, and pushes metadata objects to TOYGRIPPE.

• (S//SI//REL) TOYGRIPPE

• A SIGDEV analyst uses the TOYGRIPPE query interface to pull VPN metadata.

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR N 7 I / / ? f 1 3 ? n i n 8 11




(U//FOUO) Selection Mechanisms • (S//SI//REL) P r o t o c o l Se lec t ion - Identify VPN traffic in IP traffic

• IKE: version=4, 0x05<hdrl_en<0xff, nxtProtocol=17, srcPort=500, dstPort=500

• ESP: version=4, hdrl_en=5, nxtProtocol=50

• (S//SI//REL) S e s s i o n Se lec t ion - Identify session packets in VPN traffic

• IKE: srclP, dstIP, srcPort, desPort, nxtProtocol (5-tuple)

• ESP: srclP, dstIP, SPI

• (TS//SI//REL) Target Se lec t ion - Identify, select, and task target in VPN sessions

• K E Y C A R D performs target selection lookup with IP selectors

• K E Y C A R D lookup result determines tasking disposit ion:

• Not TRANSFORM (no action)

• TRANSFORM (decrypt)

• TRANSFORM+SURVEY (decrvot and send to XKEYSCORE)

• T R A N S F O R M + F O R W A R I ^ d a a ^ a m J send to WC2.0)

• TRANSFORM+SURVEY+FORWARD (decrypt and send to X K E Y & WC2.0)

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl3?nirifi 12




(U) Design Constraints

(TS//SI//REL) Spin 9 VPN will use the following components:

Capab i l i t y C o m p o n e n t

PIQ-Blade

F u n c t i o n

Extends the CES enclave to TURMOIL for decryption and other CA processing

VPN Identification

and Decryption

VPN Metadata

XWC2.0

VPN Attack Orchestrator

(VAO)

TOYGRIPPE

Receive bundled decrypt for application processing

Provides IKE / ESP matching functionality. It communicates with the PIQ-Blade and is located behind the CES Firewall.

Receives VPN SOTF Metadata via PRESSUREWAVE

Deve loper

CES/ESO

TU

CES/SAO/ Txx

CES/ESO





(U) Delivery Constraints

(TS//SI//REL) Spin 9 VPN will use the following delivery mechanisms:

Capab i l i t y

VPN Identification

and Decryption

M VPN

Metadata

P r o d u c t

X Bundled decrypt for WC2.0

Sessionized decrypted packets from TURMOIL Data Store to

XKEYSCORE

VPN IKE setup metadata for PRESSUREWAVE

VPN IKE setup metadata for TOYGRIPPE

Format

SOTF

SOTF

SOTF

TGIF

M e c h a n i s m

MAILORDER

Socket

Socket via TUBE and EXOPUMP

MAILORDER via VPN Analytic

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl8?f11f1ft 14




(U) Management Constraints

• (S//SI//REL) All VPN deployments must be approved by Chief CES





(U) Second and Third Party Constraints

(TS//SI//REL) Spin 9 VPN identification and decryption capability will not deploy

to Third Party TU Sites.

(U//FOUO) Spin 9 VPN metadata capability will deploy to all TU sites.





(U) What Spin 9 VPN wil l do

• (S//SI//REL) Packet De tec t ion

• Detect IKE exchanges

• Detect ESP packets

• (S//SI//REL) IPsec Metadata F l o w

Bundle all detected IKE with SRI and send to PWV

Reference: VPN Spin 9 Sequence Diagram

T O P RFC:RFT//r:OMINT//RFI USA AMR H A N ORR M7I //?fl3?niri8 17




(U) What Spin 9 VPN wil l do (continued)

• (TS//SI//REL) ESP D e c r y p t i o n F l o w

• When IKE exchange is observed, lookup IP addresses in KEYCARD. If tasked for collection, forward to VAO.

• When ESP is observed, lookup IP addresses in KEYCARD. If tasked for collection, request key from VAO.

• If decrypt key is provided by VAO, decrypt ESP packet.

• Send VPN decrypt metrics to CES VPN Metrics Service in CA Enclave.

• Recurse decrypted packets to find identifiers tasked for T U R M OL processing.

• Send selected sessions to PWV via TUBE and EXOPUMP.

• Sessionize all decrypted packets and pass to XKEYSCORE for SIGDEV.

XB Forward all decrypted packets to WC2.0 for additional application processing.

• Process only Tunnel mode ESP packets.

T O P RFORFT/ /OOMINT/ /RF I MRA AMR OAN ORR M7I //?fl8?f11f1ft 18




(U) What Spin 9 VPN wil l not do

• (S//SI//REL) Wi l l n o t p r o c e s s IPsec in o t h e r p r o t o c o l i m p l e m e n t a t i o n s

• Will not perform pattern-based IKE / ESP detection.

• Will not process TCP/500, UDP/4500, or TCP/4500 implementations.

• Will not process IKEv2 (RFC4306).

• (S//SI//REL) Wi l l n o t p r o c e s s non- IPsec based VPNs • TU VPN capability will only process IPsec based VPNs.





(U) End-to-end test

• (TS//SI//REL) IKE and ESP test packets must use coordinated security associations

• (S//SI//REL) Use both synthetic (lab generated) and live collect test data

• (S//SI//REL) Live test data may only be processed through PIQ blade

• (TS//SI//REL) Test data characterization must include:

• 5-tuples (sourcelP, des t ina t ion^ , protocol, sourcePort, destinationPort)

• Number of IKE packets

• Number of ESP packets

• Unencrypted ESP payload content

T O P RFORFT/ /OOMINT/ /RF I MRA AMR OAN ORR M7I //?fl3?niri8 20




(U) Test S c e n a r i o s

•(S//SI/ /REL) "Sunny Day" Scenarios. Single VPN with all IKE/ESP packets available and VPN Match. Exercise KEYCARD tasking option combinations.

• (TS//SI//REL) Transform - Decrypt to PRESSUREWAVE; IKE to TOYGRIPPE

• (TS//SI//REL) Transform & Survey - Decrypt to PRESSUREWAVE & XKEYSCORE; IKE to TOYGRIPPE

• (TS//SI//REL) Transform & Forward - Decrypt to PRESSUREWAVE & XWEALTHYCLUSTER 2.0; IKE to TOYGRIPPE

• (TS//SI//REL) Transform & Survev & Forward - Decrypt to PRESSUREWAVE, XKEYSCORE, X WEALTH YCLUSTER 2.0; IKE to TOYGRIPPE

• (S//SI//REL) Not Transform - IKE to TOYGRIPPE





(U) Test S c e n a r i o s ( c o n t i n u e d )

• (U) Failure Scenarios.

• (TS//SI//REL) ESP Decryption fails because bad key is returned by VAO.

• (S//SI//REL) VAO responds with no key recovered.

• (S//SI//REL) VAO key response t imeout.

• (S//SI//REL) VAO key response received after response t imeout.

• (S//SI//REL) VAO response received after TDS hold time expires and ESP is not available.

• (S//SI//REL) Phase 1 and Phase 2 IKE is complete, but no ESP is collected.

• (S//SI//REL) ESP is collected, but no IKE is collected.





(U) Test S c e n a r i o s ( c o n t i n u e d )

• (S//SI//REL) Miscellaneous Scenarios.

• (S//SI//REL) Multiple, rapid (< 30 second) Phase 2 re-keys for same initiator / responder pair.

• (S//SI//REL) Two VPN sessions collected concurrently for same IP source.

• (TS//SI//REL) Decryption f low can be disabled.

• (S//SI//REL) IKE Metadata flow can be disabled.

T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl?!?f11f1fi 23


TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZU/20320108 VPN Spin 9 Development & Integration Activities

Metadata Flow

Decryption Subflow: IKE & ESP Sessions to TDS

Decryption Subflow: PIQ Blade processing ML l&T (TML + APP)

Decryption Subflow: process and recurse decrypted packets

Decryption Flow

TU l&T

VPN Analytic

TML l&T Decrypt (APP) - 1 9 Oct

VAO (CE^/S^p) p p F A p p ( A P P ) & sessionizei^or I K H M t ^

VPN Metrics (CES)

TDS (TML)

TOP R F n R F T / / r r i M i N T / / R F i i J S A A U ? ; H A N O R R M 7 i //?ri3?riiri8 iBridge (TML) T M I IÄT (TMI + A P P 1 24


TOP SECRET//COMINT//20320108

VPN SPIN 9 Dataflows

XKEYSCORE

Internet Key Exchange (IKE)

_VPN7 T Socket Connection C: Sessionized Decrypted Packets F: SOTF

VPNS T: Socket Connection C: IKE Records F: SOTF

, aVPN6 " T: Socket Connection

C: Selected Application Sessions* F: SOTF

VPN9* T: MAILORDER C: Selected Application Sessons* F: SOTF

VPN8 T: MAILORDER C: IKE Records F: SOTF

Note * Selected Application Sessions are identified and selected from the decrypted packets extracted

from the VPN tunnel and inserted into the TURMOIL input stream.

EXOPUMP

Encapsulating Security Payload (ESP)

TURMOIL

PIQ Blade

KEYCARD Interface Key T = Transport C = Content F = Format

VPN1 T: Socket Connection C: Selector Hit Query/Response F: Binary

Dataflow Key Selector Lookup VPN Metrics PIQ Blade Monitoring ESP Key Request/Response IKE Messages Selected Application Sessions IKE Records Sessionized Decrypted Packets

J/PN2 _ _ "T: Secure Socket (SSL)

C: VPN Metrics F: SOAP

_VPN18 ~T: Secure Socket (SSL)

C: PIQ Blade Monitoring F: WebSA

VPN3 , T: Secure Socket (SSL) C: ESP Key Requet/Response F:SOAP

«VPN4 _ _ *T: Secure Socket (SSL) C: IKE Messages F: SOAP

CD $ CD -t—' CCS

CD

X CO LU

O

CD

35

CO LU

o

VPN Metrics

CES Watch

VAO

VPN11 ' T: ITx (JMS)

C: Selected Appl Sessions* F: XML/SOTF

_VPN10 T: ITx (JMS) C: IKE Records

PRESSURE-WAVE

METROTUBE

VPN12 T: ITx (JMS) C: IKE Records F: SOTF

VPN Analytic VPN13 T: MAILORDER C: IKE Records F: TGIF

TOYGRIPPE

TOP SECRET//COMINT//20320108 25



VPN SPIN 9 Metadata Dataflows o Internet Key Exchange (IKE)

TUBE VPN5 T: Socket Connection C: IKE Records F: SOTF

VPN8 T: MAILORDER C: IKE Records F: SOTF

1 EXOPUMP

TURMOIL

Interface Key T = Transport C = Content F = Format

Dataflow Key

IKE Records

VPN10 T: ITx (JMS) C: IKE Records F: XML/SOTF

PRESSURE-WAVE

METROTUBE

VPN12 T: ITx (JMS) C: IKE Records F: SOTF

VPN Analytic

TOYGRIPPE.

VPN13 T: MAILORDER C: IKE Records F: TGIF




VPN SPIN 9 Decrypt Dataflows

XKEYSCORE

— Internet Key Exchange (IKE)

Encapsulating Security Payload (ESP)

TURMOIL

TUBE

VPN7 T: Socket Connection C: Sessionized Decrypted Packets F: SOTF

KEYCARD

2

Interface Key T = Transport C = Content F = Format

VPN1 T: Socket Connection C: Selector Hit Query/Response F: Binary

_VPN6 T: Socket Connection C: Selected Application Sessions* F: SOTF

VPN9 T: MAILORDER C: Selected Application Sessons* F: SOTF

t EXOPUMP

Note * Selected Application Sessions are identified and selected from the decrypted packets extracted

from the VPN tunnel and inserted into the TURMOIL input stream.

PIQ Blade

VPN2

Dataflow Key Selector Lookup VPN Metrics PIQ Blade Monitoring ESP Key Request/Response IKE Messages

Selected Application Sessions

Sessionized Decrypted Packets

T: Secure Socket (SSL) C: VPN Metrics F: SOAP

_VPN18 "T: Secure Socket (SSL) C: PIQ Blade Monitoring F: WebSA

VPN3 " t : Secure Socket (SSL) C: ESP Key Requet/Response F: SOAP

.VPN4 — _ "T: Secure Socket (SSL) C: IKE Messages F: SOAP

>, CO CD -I—» CO

Ü

X CO LU u

CO

CO LU

o

VPN Metrics

CES Watch

VPN 11 T: ITx (JMS) C: Selected Appl Sessions* F: XML/SOTF PRESSURE-

WAVE

27


Stage 0 TURMOIL KEYCARD TUBE

TOP SECRET//COMINT//20320108 XKEYSCORE EXOPUMP VAO PWv VPN Metrics VPN Analytic CES Watch TOYGRIPPE

IKE Packet

Aggregate/Sessionize;

IKE Metadata-( J ) )KE Metadata-

TRANSFORM or (TRANSFORM * " and SURVEY) '

ÖIKE Select Query *

_ L IKEse lec t ,

. I Response™ Aggregate

IKE Metadata-

ESP Packet"

(H) •IKE Messages-

-VPN Metfics (SOAP)-

TRANSFORM or (TRANSFORM i and.SU RVEY)

SP Select Query

ESP Selec! Response"

!

_J Aggregate -ESP Key Request-

-VPN Metrics (SOAP)-

Key Recovered

•ESP Key Response-

Decryption

® -VPN Metrics (SOAP)-

if (TRANSFORM andSURVEY) Recursion for Sessionization

essionized Decrypted Packet:

if (TRANSFORM) Recursion for Tunnel Selection and Application Processing i i

Selected Application Sessions"

i

Selected

CM)

y Applicatio i Sessions

•IKE Metadata-

Selected Application Sessions"

•PIQ Blade Monitoring

( J > 1 IKE Metadata-

0 Socket

(J) MAILORDER

4) ISLANDTRANSPORT (JMS)

H Secure Socket Layer (HTTPS)



http://and.SU


VPN Spin 9 Metadata Design Details

Mission Application }

T O P RFf*:RFT//r :nMINT / /RFI USA AMR H A N ORR M7I //?n3?ri1 f lf i 29


TOP SECRET//COMINT//REL USA, AUS, CAN, GBR, NZL//20320108

VPN Spin 9 Decryption Design Details

Metadata EventGen

erator

Pacta! Procwdng Framework

Stage 0

DFID Allocator

G e n e r a t o r * ^

DFCE <bus>

Sessionizer

WC2

Mailorder Router Service

Packet Data Keyword Management

Session Data

^ §0 Iff

SIGDEV 1 VL/C 1 sessions

T D K Component

T O P S F C R F T / / C n M I N T / / R F I I ISA AUS C A N GRR M7I / /?n3? f ) i na 30



VPN3

VPN4

VPNS

VPN8

VPN9

VPN 12

VPN Spin 9 Interfaces Source

TURMOIL

PIQ Blade

PIQ Blade

PIQ Blade

TML Home

Destination

KEYCARD

CES

CES VAO

CES VAO

TUBE

Content

Selector Query/Response

VPN Metrics

ESP Crypto-variable Request/Response

IKE Message

IKE Data/Metadata

Format

Binary

SOAP/HTTPS

SOAP/HTTPS

SOAP/HTTPS

SOTF

VPN6 TML Home TUBE » ^ 5 2 ^ & *™ VPN7 TML Home XKEYSCORE

TUBE

TUBE

VPN 10 EXOPUMP

VPN11 EXOPUMP

PWV

EXOPUMP

EXOPUMP

PWV

PWV

VPN Analytic

Decrypted Session

IKE Data/Metadata

Selected Session, Decrypted & Recursively Processed

IKE Data/Metadata

Selected Session, Decrypted & Recursively Processed

IKE Data/Metadata

VPN 13 VPN Analytic TOYGRIPPE

VPN 14 TML Home TEC WC2.0

IKE Data/Metadata

Bundled Decrypt

SOTF

SOTF

SOTF

SOTF

SOTF

SOTF

TGIF

SOTF

;d

Schema / ICD

cns.xsd

VPNMetrics.xsd

VAOESP.xsd

VAOIKE.xsd

DataBundleOutput.> VPNDataBundle.xsd

TURMOIL/core VPNDecrypt.xsd


DataBundleOutput.xsd VPNDataBundle.xsd



PWV Schema


PWV Schema


r V u V o C r i c l l l c l

TGIF ICD


Changes Transport

No Socket

Yes Socket (SSL)

Yes Socket (SSL)

Yes Socket (SSL)

Yes Socket

Yes

Yes

Yes

Yes

Yes

Yes

No

Socket

Socket

Yes MAILORDER

MAILORDER

ITx

ITx

ITx

MAILORDER

Yes MAILORDER

31 T O P RFORFT/ /OOMINT/ /RF I IJSA Al JS OAN ORR M7I //?n3?fnflft



I VPN Specific BME

protocolNamespace 900667 str ing

keyExchange

espspi

nextProtocol

appID

ikeCookie

ikePayload

survey

protocol

600533 str ing

55002 uint32

37007 uintB

114000 str ing

900633 str ing

900632 str ing

900790 str ing

2001 String

xxxxxxxx-xxxx xxxx-xxxx-

xxxxxxxxxxxx

' ipsec/ike'

'IKE'

xxxxxxxx

IPTUNNEL=4

'vpn/esp'

8 chars

68 chars

'vpn/esp'

'vpn/esp'

• Recursed packets XKEYSCORE session

• WC2.0 decrypt

• PWV Metadata

• PWV Metadata

XKEYSCORE session • WC2.0 decrypt



• PWV Metadata

PWV Metadata

16-byte Universally Unique ID that associates IPsec packets in processing history

Identify IPsec as transport protocol layer

Flags IPsec IKE event

4-byte SPI f rom ESP packet

Identifies IP Tunnel in processing history

Identifies VPN/ESP in XKEYSCORE Session

Destination cookie f rom IKE packet

Raw payload extracted f rom IKE packet

Identifies VPN/ESP in protocol history as weakly XKEYSCORE session selected indicating session should not be

forwarded to PRESSUREWAVE.

• Recursed packets XKEYSCORE session Identifies VPN in processing history

• WC2.0 decrypt

T O P RFORFT/ /OOMINT/ /RF I USA AMR H A N ORR M7I //?n.^?fl1flft 32



Questions?

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?n3?niflS 33



Background

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?n.^?fl1flft 34



| KEYCARD

(U) Inputs

• (U) Application ID: VPN

• (U//FOUO) Raw Selectors: IP addresses of sessions carrying the IKE exchange

• (U) Context: Packet IP addresses both source and destination (properly identified) with realm derived from network universe

(U) Processing

• (S//SI//REL) Lookup raw selectors and report hit/no-hit results.

• (S//SI//REL) Return tasking for hits.

(U) Outputs • (U//FOUO) Evaluated Selectors:

• Hit or No-Hit indicators • Target match data if necessary

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I / /?f l8?ri1 flft 35



TURMOIL VPN Metadata Processing

(U) Inputs • (U) Raw packets

(U) Processing • (S//SI//REL) Detect IKE exchanges at UDP source and destination ports 500 • (S//SI//REL) Extract IP addresses, responder cookie, message ID, ISAKMP

payload

• (S//SI//REL) Bundle all IKE detect messages with SRI

(U) Outputs • (S//SI//REL) SOTF object containing metadata and IKE packets

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?fl3?f11flft 36



TURMOIL VPN Decrypt Processing

(U) Inputs • (U) Raw packets

• (U) Selection results from KEYCARD

(U) Processing • (S//SI//REL) Detect ESP packets and extract IP addresses and SPI • (S//SI//REL) Match tasked IKE exchange packets with an ESP packet stream • (S//SI//REL) Generate UUID and assign to VPNID for unique exchange ID • (S//SI//REL) Send Crypto-variable Request to the CES V A O • (TS//SI//REL) If the key is returned, decrypt the ESP packets • (TS//SI//REL) Send decrypt metrics to the CES VPN Metrics service • (TS//SI//REL) Recurse all decrypted packets from the VPN. • (TS//SI//REL) Sessionize all decrypted packets, pass sessions to XKEYSCORE X (TS//SI//REL) Forward all decrypted packets to a WC2.0 for application processing.

(U) Outputs X (TS//SI//REL) Decrypted packets to a WC2.0 • (TS//SI//REL) Decrypt metrics to VAO • (TS//SI//REL) Sessionized decrypted packets to XKEYSCORE • (S//SI//REL) Selected application SOTF

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?fl3?f11f1ft 37



XKEYSCORE

(U) Inputs • (S//SI//REL) Sessionized collect in SOTF format.

(U) Processing • (S//SI//REL) Recovers and archives session content. Databases metadata for query by analysts. XKEYSCORE can also perform keyword scanning and optionally forward selected data back to PINWALE. Presence tips can also be sent to TRAFFICTHIEF.

T O P S F C R F T / / C D M I N T / / R F I I ISA AUS C A N GRR N7I / /?n3? f ) i na 38



i TUBE (ID and Decryption) ion) (U) Inputs • (U) SOTF objects.

(U) Processing • (C//SI//REL) Defragments fragmented sessions, creating an SOTF object with the

complete session. • (C//SI//REL) Examines the BME to determine if the session should go to PWV. • (C//SI//REL) Creates a new SOTF object, placing the received or defragged

SOTF object into the data section. The BME of the newly created object contains classification metadata*, as well as certain fields such as session ID and signalUpTime replicated from the BME of the original received SOTF object.

* NOTE: Classification metadata needs more discussion to determine appropriate origination. TURMOIL may assume some responsibilities.

• (U) Determines appropriate routing (MAILORDER FDI) and forwards the new SOTF object to EXOPUMP via MAILORDER.

• (U) Optionally (configurable) wrap multiple objects destined for EXOPUMP/PWV into one MAILORDER file to reduce the number of individual files transmitted.

(U) Outputs

• (U) SOTF objects.

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?fl3?niri8 39



1 TUBE (Metadata) (U) Inputs


(U) Processing • (C//SI//REL) Examines the BME to determine if the session should go to PWV. • (U) Determines appropriate routing (MAILORDER FDI) and forwards the new

SOTF object to EXOPUMP via MAILORDER. • (U) Optionally (configurable) wrap multiple objects destined for EXOPUMP/PWV

into one MAILORDER file to reduce the number of individual files transmitted.

(U) Outputs


T O P RFORFT/ /OOMINT/ /RF I USA AMR OAN ORR M7I //?fl3?f11flft 40



EXOPUMP

(U) Inputs

• (U) SOTF object from TUBE via MAILORDER.

(U) Processing

• (U) Extracts metadata from SOTF records for PWV XML metadata.

• (U) Inserts SOTF objects and XML metadata into PWV.

(U) O u t p u t s

• (U) PRESSUREWAVE metadata object.

T O P S F C R F T / / C D M I N T / / R F I I ISA AUS C A N GRR N7I / / ? n 3 ? n i f ) 8 4 1



PRESSUREWAVE

(U) Inputs • (S//SI//REL) VPN metadata including IKE payload objects with associated

metadata represented in XML. • (U//FOUO) Selected application data objects with associated metadata

represented in xml.

(U) Processing • (S//SI//REL) PWV hosts a persistent (or standing) query created by the VPN

analytic. When new metadata arrives that matches the query, the VPN analytic is notified and pulls the associated metadata and IKE packets for further processing.

• (U//FOUO) PWV serves as data store for TU analytics

(U) Outputs • (S//SI//REL) The metadata and IKE packets are forwarded to VPN analytic via

ITx (JMS messaging service).

T O P S F C R F T / / C D M I N T / / R F I I ISA AUS C A N GRR N7I / / ? n 3 ? n i f ) 8 42



) VPN Analytic

(U) Inputs • (S//SI//REL) Persistent query to detect VPN metadata/IKE packets in

PRESSUREWAVE • (S//SI//REL) SOTF files containing IKE packets

(U) Processing • (U//FOUO) Convert SOTF to TGIF records

(U) Outputs • (S//SI//REL) MAILORDER files with TGIF records containing intercepted IKE

packets




TOYGRIPPE

(U) Inputs • (U//FOUO) TGIF ("The Grand Input Format") records based on TML collected metadata.

(U) Processing • (U//FOUO) TOYGRIPPE 3.2 system accepts TGIF files sent by MAILORDER as bundled "tar" files. • (TS//SI//REL) TOYGRIPPE unbundles, validates, and stores the VPN metadata from the TGIF files into a database for later access by Analysts primarily through a web browser interface. TOYGRIPPE supports data processing and storage for PPTP and IPSec VPN metadata records.

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?fl3?f11flft 44



VAO

(U) Inputs • (S//SI//REL) IKE packets

• (S//SI//REL) ESP Crypto-variable (CV) Requests

(U) Processing

• (S//SI//REL) Generates ESP SA CV's from IKE packets

• (S//SI//REL) Matches ESP SA CV requests with generated CV's

• (S//SI//REL) Responds to ESP SA CV requests

(U) O u t p u t s * • (S//SI//REL) ESP Crypto-variable Response

* Note: VAO requests that multiple ESP packets also be sent for each session




VPN Metrics

(U) Inputs • (S//SI//REL) PIQ Blade VPN Processing Metrics

(U) Processing

(S//SI//REL) Internal to CES/CA Enclave

T O P S F C R F T / / C D M I N T / / R F I I ISA AUS C A N GRR N7I //?f)8?fl1flft 46



XWEALTHYCLUSTER 2.0

(U) Inputs • (S//SI//REL) Bundled decrypted packets in SOTF format v ia MAILORDER.

(U) Processing • (U) Signal identification

• (S//SI//REL) Protocol recognition, processing and sessionization

• (C//SI//REL) Application identification and processing

• (C//SI//REL) Link characterization aggregation

• (U//FOUO) Filtering, selection, and forwarding

• (U//FOUO) Strong selection

• (S//SI//REL) Persona session association

• (S//SI//REL) Session association

• (S//SI//REL) IP Decompression

• (S//SI//REL) Contact chaining

T O P RFORFT/ /OOMINT/ /RF I IJSA Al JR OAN ORR M7I //?fl3?f11f1ft 47


fielded capability: end-to-end vpn a sek-13-3-q.pdf · top secret//comint//rel usa, aus, can, gbr,...

Documents